With the latest updates by the Department of Defense (DoD), a Cybersecurity Maturity Model Certification (CMMC) has to be obtained to be able to do any business with the DoD. With the DoD moving away from self-certification models,  vendors who service the DoD now have new issues facing them if they choose to continue supplying the Defense Industry Base (DIB). The CMMC is now a prerequisite for all DoD contractors. Since there are different levels of cybersecurity maturity levels, the one you wish to achieve will help you decide which type of assistance you will need.

Choosing a Cybersecurity Maturity Model Certification partner does not have to be an intimidating task. There are a few important things that your organization should be looking out for when going through the hiring procedure:


The assessing authorization should be a certified third-party assessment organization.  Your CMMC partner must have C3PAO, without this they are not equipped to provide cybersecurity maturity model certification.


Look for a C3PAO that has a solid background and experience in cybersecurity over an organization that might just offer cybersecurity as a secondary or tertiary service. As C3PAO isn’t only confined to one industry, anyone who pays the fees and meets the specification can acquire C3PAO. This does not always mean they are the best fit for you, or that they can effectively deliver the services. For example, if company A is an IT services company and company B is a cybersecurity specialist business, even though they both more or less fall under the IT industry and are also C3PAO, company B has the capability and expertise to provide the certification efficiently. This is because company B has professional knowledge of the extensive implementation of cybersecurity not only for CMMC, but for your business as well.


Look for providers with knowledge of the NIST 800-171 framework and DFARS. It is best to take on an associate who has previous experience with the structure that the CMMC model is based on. The two main frameworks that the cybersecurity maturity model builds upon are the NIST 800-171 and Defense Federal Acquisition Regulation (DFARS). So when finding and choosing a partner for certification, be sure to check if they have previous experience, specifically with the NIST 800-171 framework. This is the framework that the DoD currently requires an organization to adhere to if they want to engage  the DoD supply chain. Even though it is possible to self certify, many organizations still employ a specialist to ensure that the process was done explicitly and effectively. The only difference with the release of CMMC is that certification from a C3PAO has become a legal requirement for any contractor that does business with the DoD.

SureShield offers compliance assessments for applicable controls, provides audit support and allows maintenance of a state of continued readiness. Using SureShield, you will be able to perform activities required to achieve and maintain CMMC compliance. Your organization can work with us by contracting with us for our ComplyShield solution for CMMC or through one of our MSP partners. After the basic assessment, we provide your team with guidance to achieve compliance based on the completion of “Action Plans”. Check out our website for more information. Read our blog for everything you need to know about CMMC and opportunities and challenges with CMMC. For any questions, reach out to us on Twitter and Linkedin.


In reaction to the growing number of cyber threats which resulted in billions of dollars worth of losses, the Department of Defense (DoD) introduced its newest certification system called the Cybersecurity Maturity Model Certification (CMMC). It was introduced on January 21, 2020. The CMMC is designed to safeguard the important DoD information called Controlled Unclassified Information (CUI) and Federal Contractor Information (FCI). It also attempts to alleviate the possible cyber threats associated with storing and sharing that data.

The CMMC level that an organization will need to achieve depends upon the vulnerability of the DoD information it will work with, and the scale of cyber threats associated with that information. Therefore, the more important the CUI, the higher the CMMC level will be required. Prior to compliance, companies could define their compliance under the Defense Federal Acquisition Regulations (DFARS) and NIST 800-171. Owing to the lack of proof that they had been adhering to security practices allowed companies with security gaps to carry on providing their products and services to the DoD. This inescapably led to breaches and disruptions in the defense supply chain.


  • If your company receives, processes, or creates CUI, your organization will need to be Level 3 or above.
  • If your company handles “High Value Assets (HVA) CUI”, your organization will need to be a Level 4 or 5.
  • If your company does not apply to either of the previous statements above, you will likely only be required to meet Levels 1 & 2.

Read on to find out more about each level.


Level 1 demonstrates “Basic Cyber Hygiene.” The 17 controls of NIST 800-171 rev1 need to be executed by the DoD contractors who wish to pass the level 1 audit. The first CMMC level is about meeting the basic demands to protect the FCI. It ensures that all employees use up-to-date antivirus software applications and safe passwords that will protect them from uncertified third parties. This is the only level where documentations do not need to be audited; the company just needs to perform the processes. All organizations having an active contract with the DoD should be able to achieve CMMC Level 1 compliance without any concerns and with minimal effort required to reinforce their cybersecurity defenses.


Level 2 demonstrates “Intermediate Cyber Hygiene”. This level requires an organization to set up and document practices and policies to manage the implementation of their CMMC efforts. The documentation of application and processes are introduced at this level to ensure practices are performed in a replicable manner. It consists of a subgroup of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Here, DoD contractors must administer another 48 controls of NIST 800-171 rev1 plus seven new “Other” controls.


Level 3 demonstrates “Good Cyber Hygiene”. At this level, establishing, maintaining and resourcing a plan exhibiting the management of activities for practice implementation is needed to be conducted by the organization. The plan needs to include details on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. Those who would like to attain Level 3 compliance need to constantly evaluate all activities based on their cybersecurity policy. At this level, organizations are expected to support activities and review policies and processes, demonstrating a plan to manage specific tasks. The final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be applied to achieve level 3 certification.


Level 4 demonstrates “Proactive” cybersecurity. Organizations at this level are able to take correctional action when necessary. They also notify higher level management of status or issues on a recurring basis. In addition to levels 1 through 3, 11 more controls of NIST 800-171 Rev2 plus 15 new “Other” controls must be implemented. Both CMMC Level 4 and Level 5 focus on addressing the changing strategies, methods, and plans used by Advanced Persistent Threats (APTs). These domains include access command, acknowledgement and instruction, layout management, conservation, physical safeguarding, retrieval, situational awareness, and more. At Level 4, organizations are expected to analyse and document tasks for effectiveness and advise upper management on any matters.


Level 5 demonstrates “Advanced / Progressive” cybersecurity. Level 5 requires an organization to standardize and refine process implementation across the organization. Level 5 focuses on the security of CUI from APTs. To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls. Organizations at this level are expected to clarify and regulate process implementation across the enterprise. The main difference between Level 4 and Level 5 is that stability is achieved across the entire organization by having a proactive cybersecurity plan and standardized processes. Contractors must put in place 171 security controls, which are grouped into 17 groups to achieve compliance with the highest CMMC level.

As your organization moves forward it helps to have an IT risk and compliance management partner that understands the complexities and nuances of dealing with defense department contracts. SureShield ensures ease when it comes to implementing these CMMC level accreditation that companies require to bid for and win contracts with the DoD. Read our blogs about opportunities and new challenges with cmmc and everything you need to know about CMMC for more information on the subject.

Follow us on Twitter and Linkedin for new updates